Airdrop culture could pose integral threat to DeFi industry

Published at: Dec. 31, 2021

EtherWrapped, a project designed to provide a yearly summary of users' nonfungible token (NFT) activity, launched a little over eight hours ago to palpable fanfare within the crypto community.

The website detailed a plan to airdrop YEAR tokens based upon quantitative engagement statistics in users' MetaMask wallets, or in simpler terms, their number of transactions, volume traded and gas fees, among other data.

Upon verification on Etherscan, a number of well-regarded developers and engineering experts in the space assessed the coding of the smart contract. Meows.eth noted that these parties saw a “presence of a function titled _burnMechanism,” but concluded that it was merely a harmless error by the seemingly amateur creator.

What we noticed during a brief pass was the presence of a function titled _burnMechanism. This function looked innocent enough, it would fail if you attempted to interact with the contract owner. What myself and others missed is how might one weaponize it for evil. 7/ pic.twitter.com/CthmAw3a2A

— meows.eth (@cat5749) December 31, 2021

However, unbeknown to all, the creator of the contract maliciously planted this flaw in order to administer the "revokeOwnership" function soon after, designating new ownership to themselves and subsequently orchestrating a honeypot scenario in which users could only buy, not sell, the asset.

Consequently, those who had connected their wallet and received the airdropped token saw the asset soar in value and, driven by fear of missing out (FOMO), were enticed into purchasing more on the secondary Uniswap V2 market.

Interacting with the contract or claiming the token did not in itself result in losses; the losses came from the ensuing investments into the YEAR asset on decentralized exchanges.

According to Etherscan, the malicious entity was able to siphon 59.7 Ether (ETH) from the scam, equivalent to $225,000 at current prices. In addition to this, the Uniswap V2 contract registered $6.8 million in daily trading volume.

Although not a vast amount in the wider context of DeFi’s $139 billion in total value locked (TVL), the incident does highlight the critical importance of reviewing and verifying the authenticity and contractual diligence of newly formed smart contracts prior to connecting Web 3.0 wallets.


Decentralization, often in the form of financial distribution, is one of the fundamental principles of Web 3.0. Whereas the previous iteration of the internet curtailed power to centralized Silicon Valley behemoths, Web 3.0 promises to grant power to the people.

Last year, a panoply of decentralized finance projects, including Uniswap, dYdX, ParaSwap, and others, successfully deployed native assets often valued at tens of thousands of dollars to members of their community in a bid to advance the development of their ecosystem.

Last month, ENS became the latest project to showcase the genuine potential for governance models, and more recently, OpenDAO’s SOS token and GasDAO’s GAS token were allocated to those who registered trading activity on leading NFT marketplace OpenSea, and those who spent at least $1,559 of ETH on transactional fees.

Now, while these projects are legitimate innovations with openly-documented roadmap objectives, the growing prevalence of such airdrops — especially their inflated speculation and outlandish early-expectations for projects just emerging from the cryptographic womb — could become the catalyst for a trend of rug pulls, Ponzi schemes, and pump & dump projects which pursue short-term monetary gains, akin to the ICO token era of 2017.

Although a handful of the assets launched during the initial coin offering (ICO) craze became successful, a vast number experienced catastrophic falls from financial grace, tarnishing the integrity and confidence of the entire cryptocurrency space, as well as fueling the often contemptuous mainstream narrative.

Feels like we're back to the good old ICO token days. But instead of white papers we now get airdrops and rugs. What a great way to end the $YEAR

— richerd.eth ᵍᵐ (@richerd) December 31, 2021

Circulating rumors of potential MetaMask and OpenSea tokens are cultivating optimism for the construction of a truly decentralized and community-centric Web 3.0 industry. Whether this technological utopia becomes reality amid the motivations of venture capitalists and tech giants is another matter of debate.
